The end of the SHA-1 SSL certificates

It’s been a long time coming, but in the next version of Google’s Chrome, HTTPS websites with an SHA-1 certificate will be clearly marked as unsafe with a red cross in the URL bar.

What does this mean exactly?

Google announced the change a while ago, but come the next version of Chrome, it goes into effect. Websites that still use an SSL certificate signed with the SHA-1 hash algorithm will be clearly marked as unsafe.

The website will still load, however. The user doesn’t have to click through the typical “Your connection is not private. Are you sure you want to continue?” screen, so there’s no “obstacle” when approaching the site.

But the URL bar will no longer show the trusted green HTTPS icon. Instead, it shows a very clear red cross to indicate that this connection is actually unsafe.

Why is SHA-1 unsafe?

Some time ago it was discovered that the SHA-1 hash algorithm no longer withstands the amount of computing power found in current computers. That’s why, for some time now, the SHA-256 algorithm has been used to issue new SSL certificates.

All Nucleus certificates in recent years have been issued with the SHA-256 algorithm.

What does the unsafe-notification look like?

We can take a peek at a website that’s well known amongst geeks: XKCD.

In the current Chrome version, 41, the website loads perfectly. However, the green text next to the HTTPS icon disappeared some time ago, to indicate that this change was coming.

If we visit the website in the latest Chrome Beta or Chrome Canary, which are versions 42 and 44 of the Chrome browser respectively, we already get a different notification.

The website still loads, but Chrome makes it clear that this is an unsafe connection, even though the SSL certificate is valid. The notification is only shown for SHA-1 certificates with an expiration date in 2016 or later. Certificates that expire before 2016 don’t get this notification.

The entire chain matters

SSL certificates are built on a whole chain of trust, from Root Certificates to Intermediates to the final Domain or Organization SSL certificate. In the case of the XKCD website the Domain Certificate is fine, but the intermediate isn’t.

The SSL certificate that was ordered was signed with SHA-256, as it should be, but the intermediate unfortunately wasn’t. That’s why Chrome marks the connection as unsafe.
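To check a chain yourself against the two rules above (SHA-1 signature plus expiry in 2016 or later, on any certificate the server sends), here is an added example in Go; it is not Nucleus’s tooling, and the file name `sha1check.go` and the `chain.pem` input are assumptions:

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"log"
	"os"
)

// flagged applies the Chrome 42 rule described above: a certificate signed
// with SHA-1 whose expiry falls in 2016 or later is marked unsafe.
func flagged(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return c.NotAfter.Year() >= 2016
	}
	return false
}

// checkChain parses every CERTIFICATE block in a PEM bundle (leaf first, as a
// web server sends it) and reports each one that would be flagged; a single
// bad intermediate is enough, exactly as in the XKCD case. It only parses
// (no signature verification, no trust-path building).
func checkChain(bundle []byte) ([]string, error) {
	var bad []string
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // skip keys or other PEM blocks in the same file
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		if flagged(c) {
			bad = append(bad, fmt.Sprintf("%s: %s, expires %s",
				c.Subject, c.SignatureAlgorithm, c.NotAfter.Format("2006-01-02")))
		}
	}
	return bad, nil
}

func main() {
	// Assumed usage: go run sha1check.go chain.pem, where chain.pem holds the
	// certificates that "openssl s_client -showcerts -connect host:443" printed.
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	bad, err := checkChain(data)
	if err != nil {
		log.Fatal(err)
	}
	for _, line := range bad {
		fmt.Println("would be flagged by Chrome 42:", line)
	}
}
```

An empty result means every certificate in the file is either SHA-256 or a SHA-1 certificate that expires before 2016; remember that the root sent by the browser's own store is not part of the file and is not checked here.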

What does Nucleus do?

Of course we haven’t been sitting around twiddling our thumbs. At one time we did issue SSL certificates with the SHA-1 algorithm, because that had the best browser support and was “OK” to do back then. But the times have changed, especially in the security world.

All customers who still have an SHA-1 certificate that was ordered through us will be contacted by us to replace their certificate.

Need help?

Are you unsure whether or not your SSL connection will still work with the next version of Google Chrome? Don’t hesitate to contact us; our support team will gladly help you.